Go to the Mobile tab, scroll down to the Exchange ActiveSync Settings and click Edit.

Select Enable Exchange ActiveSync.

Enter a profile name.

Select Enable certificate-based authentication for iOS.

Click Download root certificate.

For use later in this procedure, copy and paste the Certificate Revocation List URL and the Delta Certificate Revocation List URL into a text editor.

Stop: Do not click Save yet. You must complete the PowerShell actions detailed in Step 2 before you save your Exchange ActiveSync settings. If you save now and then encounter a problem when enabling ActiveSync Cert Based Authentication in Office 365, your users may not be able to access their mail app.

From a Windows command line, enable ActiveSync Cert Based Authentication in Office 365:

Launch Azure PowerShell 5.0 (64-bit) as an Administrator.

Important: An error message appears if you try to use the x86 (32-bit) version of PowerShell.

Issue the following command to install the AzureAD module for PowerShell:

Install-Module -Name AzureAD -RequiredVersion 2.0.0.33

If the message NuGet provider is required to continue appears, click Yes to install and import NuGet provider.

If the message Untrusted repository appears, click Yes to All to install the required modules.

In PowerShell, issue the following command to connect to your Azure AD tenant and authenticate to Office 365:

(Optional) Issue the following commands to help troubleshoot your configuration, if necessary:

If you want to add the existing Certificate Authorities to a variable:

$c = Get-AzureADTrustedCertificateAuthority

If you want to remove a Certificate Authority, issue the following command and choose the correct certificate. Numbering begins at 0 (zero). For example, to remove the first certificate, enter 0 as shown below:
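The following script is an added example, not Okta's or Microsoft's own code: it ties the steps above together in Windows PowerShell 5.x, registering the downloaded Okta root certificate together with its CRL URLs as a trusted CA in Azure AD and then reading the list back to confirm it. The certificate path and the two URLs are placeholders you replace with the values saved earlier in this procedure.

```powershell
# Added example (not Okta's or Microsoft's script). Assumes the Okta root
# certificate was saved to C:\okta\okta-root.cer and that the two URLs were
# copied from the Okta Exchange ActiveSync settings page (all placeholders).
$certPath = 'C:\okta\okta-root.cer'                        # placeholder path
$crlUrl   = 'https://<your-okta-org>/<crl-path>'           # placeholder URL
$deltaCrl = 'https://<your-okta-org>/<delta-crl-path>'     # placeholder URL

# Connect to the Azure AD tenant (prompts for an administrator sign-in).
Connect-AzureAD

# Build the certificate authority record. AuthorityType 0 = RootAuthority.
$ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$ca.AuthorityType             = 0
$ca.TrustedCertificate        = [System.IO.File]::ReadAllBytes($certPath)
$ca.crlDistributionPoint      = $crlUrl
$ca.DeltaCrlDistributionPoint = $deltaCrl

# Register the CA, then read the tenant's trusted CA list back to verify it.
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca
$c = Get-AzureADTrustedCertificateAuthority
$c | Select-Object AuthorityType, TrustedIssuer, CrlDistributionPoint, DeltaCrlDistributionPoint

# Check before clicking Save in Okta: an entry without a CRL URL means a
# revoked device certificate is never rejected by Office 365.
$missing = $c | Where-Object { [string]::IsNullOrEmpty($_.CrlDistributionPoint) }
if ($missing) {
    Write-Warning 'One or more trusted CAs have no CRL distribution point set.'
}

# To remove an entry later, index the list; numbering starts at 0, so $c[0]
# is the first certificate authority returned above.
# Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[0]
```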

Continuous password prompt caused by duplicate EAS profiles — iOS 9.3 and iOS 10.2 device users who manually configure the native iOS mail app before enrolling in OMM will have duplicate EAS profiles on their device after OMM enrollment pushes a certificate-based profile to their device automatically. On iOS 9.3 devices, this duplication may cause confusion. On iOS 10.2 devices, in addition to the profile duplication issue, the manually-configured profile does not receive email and continuously prompts for a password. To address these issues, we recommend that you advise your users to delete the manually-configured profile from their device. As shown in this example, the password prompt appears continuously.

Currently, this feature supports only the native iOS mail app on iOS devices.

Block access to Outlook for iOS or Android — If you don't want your end users to access Outlook for iOS or Android, you can block access as described in the Microsoft article Enabling Outlook for iOS and Android in Exchange Online. Scroll down to Blocking Outlook for iOS and Android.

CRL cache must refresh — When Okta revokes a certificate — or if the trusted root CA certificate is removed from Exchange Online/O365/Azure AD — CBA EAS-enabled devices using the certificate can still access email until the next time Office 365 invalidates the Certificate Revocation List (CRL) cache and refreshes the CRL. When the cache is refreshed, Microsoft denies the device access to email. Microsoft's cache expires once every 24 hours, or whenever the device switches to a different Wi-Fi network.

More than one OS type in the header when using the Outlook mail app — When Okta receives a request from the Outlook Mail app on iOS and Android devices, the header contains both iOS and Android, which prevents Okta from precisely identifying the OS type. To ensure that the client access policy is applied in this case, select the Others option in the Mobile (Exchange ActiveSync) client access policy. For more information, see Configuring Rules for Office 365 Client Access Policies.